
Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss Army Knife

Date posted: 12-Nov-2014
Uploaded by: ajin-abraham
Description: Exploit Research and Development Megaprimer, http://opensecurity.in/exploit-research-and-development-megaprimer/ and http://www.youtube.com/playlist?list=PLX3EwmWe0cS_5oy86fnqFRfHpxJHjtuyf
Transcript
Page 1: Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss Army Knife

EXPLOIT RESEARCH

EXPLOIT DEVELOPMENT WITH MONA

Kerala Cyber Force

www.keralacyberforce.in

Ajin Abraham

@ajinabraham

Page 2

WHAT IS MONA?

• Mona is a plugin for Immunity Debugger or WinDBG, developed by Peter of the Corelan Team.

• Mona is a Python script that simplifies an exploit developer's work many times over.

• In my view, this tool was created to make exploit development n00b-friendly.

• You don't have to spend hours and days on exploit development.

• Mona will do almost everything for you.

Page 3

SET OF COMMANDS SUPPORTED BY MONA

Page 4

GLOBAL OPTIONS THAT YOU CAN APPLY AS FILTERS

Page 5

MONA INITIAL CONFIGURATION

• Download Mona and copy it to the PyCommands directory of Immunity Debugger.

• !mona config -set workingfolder <path>

Ex: !mona config -set workingfolder C:\Mona\%p

%p – based on the process

%i – based on the process id

Page 6

GLOBAL OPTIONS OR FILTERS

• -n : Skip modules that start with a null byte.

• -o : Skip OS modules.

• -p <nr> : Stop the search after <nr> pointers.

• -m : Limit to one or more modules. Ex: !mona seh -m "ntdll","xyzdll"

• -cm : Limit by a module property. Ex: !mona seh -cm aslr=false,os=true. Available options are: aslr, safeseh, os, rebase, nx

• -cp : Limit by pointer properties. Ex: !mona seh -cp unicode. Available options are: unicode, ascii, asciiprint, upper, lower, uppernum, lowernum, numeric, alphanum, nonull, startswithnull, unicoderev

• -cpb : Limit by bytes in pointers (can be used for bad-character filtering). Ex: !mona seh -cpb "\x00\x0a\x0d\x20"

Page 7

COMMANDS

• !mona pc <size> : Generate a cyclic pattern, similar to pattern_create.rb

• !mona po <4 byte pattern> : Locate the given 4 bytes in the cyclic pattern

• !mona findmsp : Find registers overwritten with the pattern, registers that point into the pattern, and pointers on the stack that point into the pattern. Shows every location of the cyclic pattern and the pattern size.
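What pc, po and findmsp automate, as an added example (not mona's own code): a pattern_create-style generator plus an offset lookup that accepts either the 4 bytes as laid out in memory or the little-endian register value the debugger displays. The 500-byte pattern and the EIP value 0x33614132 in the usage block are constructed for the demonstration.

```python
import string
from typing import Optional, Tuple

# 26 * 26 * 10 three-character chunks: 20280 bytes before the pattern would repeat
MAX_UNIQUE = 26 * 26 * 10 * 3


def pattern_create(length: int) -> str:
    """Metasploit-style cyclic pattern ("Aa0Aa1Aa2...") of `length` characters.

    Every 4-byte window is unique within the first 20280 bytes, which is what
    lets a crash value be mapped back to a single offset in the buffer.
    """
    if not 0 < length <= MAX_UNIQUE:
        raise ValueError(f"length must be between 1 and {MAX_UNIQUE}")
    chunks = (u + l + d
              for u in string.ascii_uppercase
              for l in string.ascii_lowercase
              for d in string.digits)
    buf, size = [], 0
    for chunk in chunks:
        if size >= length:
            break
        buf.append(chunk)
        size += 3
    return "".join(buf)[:length]


def pattern_offset(pattern: str, value) -> Optional[Tuple[int, bool]]:
    """Locate a 4-byte slice of `pattern`, as `!mona po` does.

    `value` is either the 4 characters as laid out in memory (e.g. "2Aa3") or the
    32-bit register value the debugger displays (e.g. 0x33614132), decoded
    little-endian. Returns (offset, reversed); `reversed` is True when the bytes
    only matched after being reversed. Returns None when not found.
    """
    needle = value.to_bytes(4, "little").decode("latin-1") if isinstance(value, int) else value
    if len(needle) != 4:
        raise ValueError("need exactly 4 bytes")
    idx = pattern.find(needle)
    if idx != -1:
        return idx, False
    idx = pattern.find(needle[::-1])
    return (idx, True) if idx != -1 else None


if __name__ == "__main__":
    # Constructed scenario: a 500-byte pattern was sent and EIP now reads 0x33614132
    pat = pattern_create(500)
    print(pattern_offset(pat, 0x33614132))  # (8, False): EIP came from offset 8
```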

Page 8

COMMANDS

• !mona mod : List all the loaded modules along with their properties.

• !mona bytearray : Generate the bytes from 0x00 to 0xFF.

• !mona bytearray -b "<list of bytes>" : Generate the bytes from 0x00 to 0xFF, excluding the listed bytes.

• This is very handy for checking bad characters during exploit development.

• !mona jmp -r <register> : Find pointers that jump to the given register.

Ex: !mona jmp -r esp -m "ntdll" -cm os=true -cp nonull

• !mona noaslr : Show modules that are not ASLR-enabled or rebased.

• !mona nosafeseh : Show modules that are not SafeSEH protected.

• !mona seh : List pointers to POP/POP/RET (PPR) or CALL DWORD sequences.

• !mona egg -t <tag> : Create the egghunter code, including the specified tag.

Page 9

COMMANDS

• !mona rop : Generate gadgets, including a run of ropfunc and stackpivot.

• !mona ropfunc : Find pointers to pointers (IAT entries) to interesting functions that can be used in your ROP chain (APIs and the closely related APIs).

• !mona stackpivot : Find stack pivots.

• !mona find : Find bytes in the process memory.

• !mona findwild : Find instructions in the process memory using wildcards.

Page 10

COMMANDS

• !mona header : Create a Ruby exploit header from a PoC. Ex: !mona header -f "<path>"

• !mona skeleton : Create a Metasploit module skeleton.

• !mona suggest : Create a Metasploit module once you control EIP or SEH with a cyclic pattern.

Page 11

FIGURE OUT THE OTHER COMMANDS BY YOURSELF

• assemble

• dump

• stacks

• gflags

• breakpoint

• compare

• ... etc.

Page 12

THANKS

@AJINABRAHAM

Good read: https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/
